Forcing users to install a root certificate lets the certificate's owner decrypt almost all of their Internet traffic, provided the owner can also see that traffic on the network. This capability exists primarily for enterprise network monitoring, and it is becoming disturbingly popular in schools as well.

Amid the increasing interest in compelling unsuspecting users to compromise their own encryption, we called on OSes like Android and iOS to adopt clearer, more user-friendly dialogs that explain what is really going on when you add a new root certificate.

In response, Android 11 is now rolling out significantly improved warnings and user interfaces for certificate management.

Why does this matter?

Certificates enable encryption, like in HTTPS. They tie a domain name (like eff.org) to a public key, the public half of the key pair a website uses to set up the encrypted connection. If the domain name is tied to the wrong public key, someone else can decrypt your Internet traffic, so your browser is designed to accept only certificates that are issued by certain trusted entities. Root certificates identify these trusted entities (certificate authorities like Let’s Encrypt) that can issue certificates for other websites.

Manually adding a new root certificate means giving the entity who created it the ability to make fake certificates for every website you connect to: certificates carrying the right domain name but a public key whose private half that entity holds, which your browser will nonetheless accept as genuine. If that entity also has access to your network, it can get past the protections of HTTPS and decrypt nearly all of your Internet traffic. (On Android the damage is partly contained: since Android 7.0, apps built for that version or later do not trust user-added roots unless they opt in through their network security configuration. Chrome for Android and any app that does opt in still trust them, so browsing is exactly the traffic that is exposed.)
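To make the mechanism concrete, here is an added example, not code from the EFF post, that uses the openssl command-line tool to play the attacker: it creates a rogue root CA, issues a certificate for eff.org whose private key the attacker holds (eff.org is only a sample hostname here; no real eff.org key is involved), and then checks that certificate twice, once against the system's shipped roots and once with the rogue root trusted, the way a browser would after the root was installed. The file names, the CA name and the scratch directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the EFF post). Shows what trusting a rogue root
# certificate buys an attacker, using only the openssl CLI. All keys and
# names here are constructed for the demo; "eff.org" is just a sample host.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# 1. The attacker's own root CA, self-signed and marked as a CA so that
#    verifiers accept it as an issuer once it sits in the trust store.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Rogue Root CA (constructed example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config root.cnf \
  -keyout rogue-root.key -out rogue-root.pem >/dev/null 2>&1

# 2. A leaf certificate for eff.org signed by that root. The private key
#    belongs to the attacker, not to the real site, which is the whole point.
cat > leaf.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = eff.org
EOF
printf 'subjectAltName = DNS:eff.org\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -config leaf.cnf \
  -keyout fake-eff.key -out fake-eff.csr >/dev/null 2>&1
openssl x509 -req -in fake-eff.csr -CA rogue-root.pem -CAkey rogue-root.key \
  -CAcreateserial -days 30 -extfile leaf.ext -out fake-eff.pem >/dev/null 2>&1

# verify_default: validate the fake leaf for hostname eff.org against the
# system's shipped roots. No shipped root signed it, so this prints "rejected".
verify_default() {
  if openssl verify -verify_hostname eff.org fake-eff.pem >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# verify_with_rogue_root: the same leaf, validated as a browser would after
# the user was made to install the rogue root. Prints "accepted".
verify_with_rogue_root() {
  if openssl verify -verify_hostname eff.org -CAfile rogue-root.pem fake-eff.pem >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# audit_root: the fields worth reading before trusting any root you are
# handed: subject and issuer (identical for a root), the validity window,
# and the SHA-256 fingerprint to compare against a value published out of band.
audit_root() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

echo "system store:       $(verify_default)"
echo "rogue root trusted: $(verify_with_rogue_root)"
audit_root rogue-root.pem
```

The two verdicts differ only in whether rogue-root.pem is trusted; nothing about the fake certificate itself changes. That gap is what a certificate-install warning has to convey to the user, and the audit_root output is the minimum a user needs to be shown in order to check what they are about to trust.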

As encryption becomes more widespread, root certificates will have more power. It is paramount for end-user security that manually adding a root certificate be difficult and accompanied by sufficient and clear warnings. Furthermore, auditing the root certificates that are trusted by your device should be easier. After we wrote a blog post and filed a bug with Android calling on it to do better in these areas, Android 11’s release is leading the charge in user-friendly certificate management.

Firefox, Apple, and Windows, we’re looking at you next

The interface for adding and viewing trusted root certificates in iOS remains as clunky as it was last year. Other popular desktop OSes like macOS and Windows could use improvements, too. Firefox is unusual among browsers in that it maintains its own certificate store rather than relying on the operating system's, which means it can improve on its own as well. We implore Firefox, Apple, and Windows to improve their certificate warnings and management interfaces.
